Cyber Defense eMagazine August Edition for 2021

More documents

Recommendations

Info

When designing a product, you need to think beyond what you are building your product to do and consider any use cases you might not have considered. For example, consider a server platform that is embedded into an MRI machine in a hospital. A data center is a very different environment than a hospital basement. You have to think holistically about your product and think through the security implications of unintended use cases down the road. Hackers use this philosophy, using devices in completely unexpected ways to uncover potential vulnerabilities. It’s hard to imagine all the potential use cases for a particular device (or how bad actors might attack it), so you need to proactively think of security in layers, and design in defense in depth so that no single exploit is likely to be successful. 2. What’s the first thing that needs to happen when creating a new product? From an architecture standpoint, you have to think about how a device might come under attack. That could include hardware, firmware, OS, application, and connectivity types of attacks. Using a ‘design for security’ mindset, you must think about all these security attack scenarios because the weakest link breaks the chain. For example, when thinking about making airplanes safe, designers build in redundancy, so a single failure isn’t likely to cause a crash. But they also consider passenger safety and how best to exit planes quickly. They have robust communications and procedures for what to do if communications are down and many, many other aspects that comprise a safer airplane trip. This same mindset exists in technology, with many security layers built into products from the beginning. An adversary will avoid heavily protected elements of a product and look for the easiest way to break the system. This means threat modeling needs to be one of the first things to happen when building a product. You can threat model everything from environmental factors and natural disasters to global geopolitics, or you can narrow it down to something like a network or access to a system. It’s about guarding against bad outcomes. Mature organizations often have teams of researchers dedicated to creating and evaluating threat models. 3. How do you prioritize security when designing and developing a new product? Once you get into actual design and development, you want to be able to catch known security threats. That process is part of the Secure Development Lifecycle or SDL. SDL is a series of processes that implement security principles and privacy tenets into product development to help support engineers, developers, and researchers. These processes incorporate security-minded engineering and testing at the onset of product development when it’s more effective and efficient to employ. Not only does it include knowledge sharing, but also tools and services that, for example, allow someone to run checks against code. You can imagine the number of checks over time becomes massive, so you need a process that’s efficient and scales to help teams to better ensure they can catch security vulnerabilities. Automation plays a vital role here. This involves using tools that embed these checks and automate the process so designers can run a multitude of complex security checks with a click of a button. Our teams are constantly working to stay ahead of attackers by trying to find these issues and vulnerabilities before an attacker can exploit them. Beyond the SDL, other initiatives play a major role around security, including training, conferences, Product Security Incident Response Teams (or PSIRTs), bug bounty programs, offensive and defensive research, and industry collaboration. Cyber Defense eMagazine – August 2021 Edition 34 Copyright © 2021, Cyber Defense Magazine. All rights reserved worldwide.
4. Is there some sort of final security check involved before a product goes to market? There’s no single security check, but rather the completion of a gauntlet of checks, that makes a product ready for market. Even early in the Intel development process, a product generally is required to meet appropriate security milestones at that development phase in order to proceed forward. At Intel, we don’t just check for security at the end. It is an integral part of the entire development process. We have a team of more than 200 security researchers internally, and they work with the product teams collaboratively to evaluate the products throughout development. Our teams work to find and mitigate potential vulnerabilities through internal code reviews, red team activities such as Hack-A-Thons, and other events before products go to market. The data we collect is then used to develop automation and required training to help eliminate future occurrences. We also partner with the external research community, which is full of extremely smart and creative people. We want them working with us, making our platforms better. Sometimes this is known as “Crowdsourced Security” and can include bug bounty programs which provide incentives to researchers to report vulnerabilities. 5. What happens if researchers identify a major vulnerability via bug bounty programs after the product is already in the field? At a high level (and this can differ depending on the vulnerability), products with a vulnerability initially go to PSIRTs. At Intel, this team engages with the researcher that uncovered the issue and does the preliminary evaluation to validate and replicate the issue. Then very quickly, it’s triaged with Intel experts for that specific platform area who drop everything to prioritize resolution of the issue. Finding and deploying mitigations for the issue could take days, weeks, or months, depending on the complexity. In the meantime, because Intel follows the common industry practice of Coordinated Vulnerability Disclosure (CVD) for reported security vulnerabilities on launched products, we align with the researchers on a date to publicly disclose the issue to allow time to identify and deploy mitigations, in order to reduce adversary advantage. Then once we have a mitigation, we need to help ensure that mitigation doesn’t create other unintended problems. Before rolling it out into customer environments, we need to make sure we understand the full extent of its potential impact. First, internally we do what’s called ‘no harm testing’. Later, we do more robust testing with partners and then roll out the update to customers in a coordinated fashion. When possible, we bundle updates together so they can be validated together to save time and money for the customers. In addition to practicing inbound CVD in partnership with external security researchers, Intel also coordinates outbound vulnerability disclosure with industry partners and other external stakeholders, as appropriate, so that all affected parties are disclosing in unison for an optimal defensive position. It’s all about coordinated disclosure. 6. What role does working with the larger hardware community play in designing for security? Compute is a complex endeavor that involves hardware from multiple vendors, firmware, operating systems, and applications. And of course, if your hardware goes online, which more and more of it does with the expansion of the Internet of Things, you must strive to secure compute systems across entire ecosystems. We’re really in an interesting time now. With so many connected and smart systems, we must consider security and privacy in every design decision for every product we create. These topics require broad discussion and collaboration, and they deserve our detailed attention to ethical considerations. Cyber Defense eMagazine – August 2021 Edition 35 Copyright © 2021, Cyber Defense Magazine. All rights reserved worldwide.
Page 1 and 2: Understanding The Importance of Des
Page 3 and 4: From Security-Enhanced 5G Networks
Page 5 and 6: @CYBERDEFENSEMAG InfoSec Knowledge
Page 7 and 8: Cyber Defense eMagazine - August 20
Page 33: Understanding The Importance of Des
Page 37 and 38: Evaluating Security Practices in Re
Page 39 and 40: After answering these questions and
Page 41 and 42: • Microsoft released patches for
Page 43 and 44: Four Ways Smart Cities Can Stay Saf
Page 45 and 46: From the technology perspective, th
Page 47 and 48: The Psychology of a Cybercriminal M
Page 49 and 50: Hacktivism One often-overlooked cyb
Page 51 and 52: A 2019 study revealed that 91% of e
Page 53 and 54: • Regularly check and update your
Page 55 and 56: ● ● Regulatory fines and penalt
Page 57 and 58: But how can leaders prepare for a r
Page 59 and 60: Black Market as Sustainable Ecosyst
Page 61 and 62: shopping centers, trade malls and t
Page 63 and 64: PKI Rises to the Challenge Using X.
Page 65 and 66: 7. Application Code Signing Code si
Page 67 and 68: Greater IT Freedom with Tighter IT
Page 69 and 70: Ninety percent of respondents say e
Page 71 and 72: A PETs-Enabled Path to Secure & Pri
Page 73 and 74: is important that all internal stak
Page 75 and 76: Automated scanning is not enough Ma
Page 77 and 78: continuous game of catching up each
Page 79 and 80: Top Tips Every SMB Must Know to Saf
Page 81 and 82: where hackers will either change a
Page 83 and 84: From Security-Enhanced 5G Networks
Page 85 and 86:
of intelligence, the latter being d
Page 87 and 88:
About the Author David Soldani rece
Page 89 and 90:
The unpredictability component in c
Page 91 and 92:
anticipating the blind spots of the
Page 93 and 94:
Cybercrime is constantly on the ris
Page 95 and 96:
How Much Will You Have to Pay to Be
Page 97 and 98:
and California Consumer Privacy Act
Page 99 and 100:
It’s Time to Issue Company Passwo
Page 101 and 102:
Non-Enterprise Grade Communication
Page 103 and 104:
How to Communicate with your employ
Page 105 and 106:
Security Issues of Working Remotely
Page 107 and 108:
Another way a leak or theft can hap
Page 109 and 110:
However, new research finds almost
Page 111 and 112:
To Reduce Risk, Feds Need To Reeval
Page 113 and 114:
environment, designed to address wo
Page 115 and 116:
A penetration test has two typical
Page 117 and 118:
Black Box In the event of a real cy
Page 119 and 120:
which represent the highly polarize
Page 121 and 122:
5 Tips to Prevent a Security Breach
Page 123 and 124:
Secrets detection can be added in t
Page 125 and 126:
when it reaches its destination. Th
Page 127 and 128:
Maturity-Based Approach vs. Risk-Ba
Page 129 and 130:
To be successful in using a risk-ba
Page 131 and 132:
About eSentire eSentire Inc., is th
Page 133 and 134:
adjust score weights to ensure fina
Page 135 and 136:
Hostname-based pattern model Traffi
Page 137 and 138:
Cyber Defense eMagazine - August 20
Page 139 and 140:
Page 141 and 142:
Page 143 and 144:
You asked, and it’s finally here
Page 145 and 146:
9 Years in The Making… Thank You
Page 147 and 148:
show all

Cyber Defense eMagazine August Edition for 2021

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?